Daily Archives: March 19, 2018

Windows 10 S (for Surface) and Cortana force you to use Edge and Bing, and Windows Mail forces links to open in Edge

Posted on by

Windows 10 S, Microsoft’s new locked-down operating system that comes bundled with the Surface Laptop, won’t allow you to change the default Web browser away from Microsoft’s own Edge. Furthermore, Edge’s default search provider can’t be altered: Bing is all you get.

Curiously you can download other browsers from the Windows Store, such as Opera Mini, but Windows 10 S won’t let you set it as the default browser: if you try to open an HTML file, or click a link in another app, it will always open in Edge, according to Microsoft’s official FAQ on the topic.

The FAQ uses very direct language: “Microsoft Edge is the default web browser on Microsoft 10 S. The default search provider in Microsoft Edge and Internet Explorer cannot be changed.” It isn’t clear if OEMs will be able to override this feature of Windows 10 S.

It’s worth noting at this juncture that Windows 10 S, much like its spiritual predecessor Windows RT, will only run apps that you download from the Windows Store—and currently, neither Firefox or Chrome have been packaged up for the Windows Store. I can’t imagine that Google will be super-keen to bring Chrome to the Windows Store if Windows 10 S users can’t change the default browser.

Source: Windows 10 S forces you to use Edge and Bing | Ars Technica

Edge might be Windows 10’s built-in browser, but it definitely isn’t the most popular browser — NetMarketShare reported just under 4 percent usage share as of February 2018, slipping well below Chrome’s 59 percent. And now, it looks like the company may be trying to boost its share through software policies. The company is testing a Windows 10 preview release in the Skip Ahead ring which opens all Windows Mail web links in Edge, regardless of your app defaults. It provides the “best, most secure and consistent experience,” Microsoft argued.

The move isn’t coming completely out of the blue. Microsoft required Cortana users to rely on Bing search and open any web content in Edge, so this is arguably an extension of that policy.

Even so, the move is likely to irk at least some Windows 10 users. To start, its claims are highly subjective. Edge certainly isn’t immune to security exploits, and relying on it could actually create an inconsistent experience if you aren’t completely invested in Microsoft software. If you use Chrome on an Android phone, wouldn’t you want every link on your PC to open in Chrome so that they’re easier to retrieve when you’re on your handset? We can’t imagine that European antitrust regulators would be happy about Microsoft locking users into its own browser, either. We’ve asked Microsoft if it can comment on the concerns and will let you know if it has something to say.

Microsoft tests forcing Windows Mail users to open links in Edge

Booking Flights: Our Data Flies with Us – the huge dataset described

Posted on by

Every time you book a flight, you generate personal data that is ripe for harvesting: information like the details on an ID card, your address, your passport information and your travel itinerary, as well as your frequent-flyer number, method of payment and travel preferences (dietary restrictions, mobility restrictions, etc.). All that data becomes part of a registry, in the form of a Passenger Name Record (PNR) – a generic name given to records created by aircraft operators or their authorised agents for each journey booked by or on behalf of any passenger.

When we book a flight or travel itinerary, the travel agent or booking website creates our PNR. Most airlines or travel agents choose to host their PNR databases on a specialised computer reservation system (CRS) or a Global Distribution System (GDS), which coordinates the information from all the travel agents and airlines worldwide, to avoid things like duplicated flight reservations. This means that CRSs/GDSs centralise and store vast amounts of data about travellers. Though we are focusing on air travel here, it is important to note that the PNR is not only flight-related. It can also include other services such as car rentals, hotel reservations and train trips.
[…]
A PNR isn’t necessarily created all at once. If we use the same agency or airline to book our flight and other services, like a hotel, the agency will use the same PNR. Therefore, information from many different sources will be gradually added to our PNR through different channels over time. That means the dataset is much larger than just the flight info: a PNR can contain data as important as our exact whereabouts at specific points in time.

What are the implications of all this for our privacy? The journalist and travel advocate Edward Hasbrouck has been researching and denouncing the PNR’s effects on privacy in the US for decades. In Europe, organisations like European Digital Rights (EDRi) have also criticised PNRs extensively through their advocacy and awareness campaigns. According to Hasbrouck:

PNR data reveals our associations, our activities, and our tastes and preferences. It shows where we went, when, with whom, for how long, and at whose expense. Through departmental and project billing codes, business travel PNR’s reveal confidential internal corporate and other organisation structures and lines of authority and show which people were involved in work together, even if they travelled separately. PNRs typically contain credit card numbers, telephone numbers, email addresses, and IP addresses, allowing them to be easily merged with financial and communications metadata

Your individual PNR also contains a section for free-text “remarks” that can be entered by the airline, the travel agency, a tour operator, a third-party call centre or the staff of the ground-handling contractor. Such texts might include sensitive and private information, like special meal requests and particular medical needs. This may seem innocuous, but information like special meal requests can indicate our religious or political affiliations, especially when it is cross-referenced with other details included in our PNR. Regardless of whether the profile assigned to us is accurate, the repercussions and implications of that profiling are concerning – especially in the absence of public awareness about them.
[…]
In the United States, PNRs are stored in the Automated Targeting System-Passenger (ATS-P), where they become part of an active database for up to five years (after the first six months, they are de-personalised and masked). After five years, the data is transferred to a dormant database for up to ten more years, where it remains available for counter-terrorism purposes for the full duration of its 15-year retention.

According to Edward Hasbrouck, PNRs cannot be deleted: once created, they are archived and retained in the Computer Reservation Data and You and/or Global Distribution Data and You (CRS/GDS), and can still be viewed, even if we never bought a ticket and cancelled our reservations:

“CRS’s retain flown, archived, purged, and deleted PNR’s indefinitely. It doesn’t really matter whether governments store copies of entire PNR’s or only portions of them, whether they filter out certain especially “sensitive” data from their copies of PNR’s, or for how long they retain them. As long as a government agency has the record locator or the airline name, flight number, and date, they can retrieve the complete PNR from the CRS. That’s especially true for the U.S. government, since even PNR’s created by airlines, travel agencies, tour operators, or airline offices in other countries, for flights within and between other countries that don’t touch the USA, are routinely stored in CRS’s based in the USA.
[…]
Under EU regulations, governments can retain PNR data for a maximum of five years, to allow law-enforcement officials to access it if necessary. The regulations state that after six months, the data is masked out or anonymised. But according to research by the EDRi, records are not necessarily anonymised or encrypted, and, in fact, the data can be easily re-personalised.
[…]
PNR is a relatively old system, pre-dating the internet as we know it today. Airlines have built their own systems on top of this, allowing passengers to make adjustments to their reservations using a six-character booking confirmation number or PNR locator. But although the PNR system was originally designed to facilitate the sharing of information rather than the protection of it, in the current digital environment and with the cyber-threats facing our data online, this system needs to be updated to keep up with the existing risks. PNRs are information-rich files are not only of interest for governments; they are also valuable to third parties – whether corporations or adversaries. Potential uses of the data could include anything from marketing research to hacks aimed at obtaining our personal information for financial scams or even doxxing or inflicting harm on activists.

According to Hasbrouck, the controls over who can access PNR data are insufficient, and there are no limitations on how CRS/GDS users (whether governments or travel agents) can access it. Furthermore, there are no records of when a CRS/GDS user has retrieved a PNR, from where they retrieved the record, or for what purpose. This means that any travel agent or any government can retrieve our PNR and access all the data it contains, no questions asked and without leaving a trace.
[…]
Photos of our tickets or luggage tags pose particular risks because of the sensitive information printed on them. In addition to our name and flight information, they also include our PNR locator, though sometimes only inside the barcode. Even if we cannot “see” information in the barcodes or sequences of letters and numbers on our tickets, other people may be able to derive meaning from them.

Source: Booking Flights: Our Data Flies with Us – Our Data Our Selves

Palantir has secretly been using New Orleans to test its predictive policing technology, was given huge access to lots of private data without oversight due to loophole

Posted on by

The program began in 2012 as a partnership between New Orleans Police and Palantir Technologies, a data-mining firm founded with seed money from the CIA’s venture capital firm. According to interviews and documents obtained by The Verge, the initiative was essentially a predictive policing program, similar to the “heat list” in Chicago that purports to predict which people are likely drivers or victims of violence.

The partnership has been extended three times, with the third extension scheduled to expire on February 21st, 2018. The city of New Orleans and Palantir have not responded to questions about the program’s current status.

Predictive policing technology has proven highly controversial wherever it is implemented, but in New Orleans, the program escaped public notice, partly because Palantir established it as a philanthropic relationship with the city through Mayor Mitch Landrieu’s signature NOLA For Life program. Thanks to its philanthropic status, as well as New Orleans’ “strong mayor” model of government, the agreement never passed through a public procurement process.

In fact, key city council members and attorneys contacted by The Verge had no idea that the city had any sort of relationship with Palantir, nor were they aware that Palantir used its program in New Orleans to market its services to another law enforcement agency for a multimillion-dollar contract.

Even within the law enforcement community, there are concerns about the potential civil liberties implications of the sort of individualized prediction Palantir developed in New Orleans, and whether it’s appropriate for the American criminal justice system.

“They’re creating a target list, but we’re not going after Al Qaeda in Syria,” said a former law enforcement official who has observed Palantir’s work first-hand as well as the company’s sales pitches for predictive policing. The former official spoke on condition of anonymity to freely discuss their concerns with data mining and predictive policing. “Palantir is a great example of an absolutely ridiculous amount of money spent on a tech tool that may have some application,” the former official said. “However, it’s not the right tool for local and state law enforcement.”

Six years ago, one of the world’s most secretive and powerful tech firms developed a contentious intelligence product in a city that has served as a neoliberal laboratory for everything from charter schools to radical housing reform since Hurricane Katrina. Because the program was never public, important questions about its basic functioning, risk for bias, and overall propriety were never answered.
[…]
Palantir’s prediction model in New Orleans used an intelligence technique called social network analysis (or SNA) to draw connections between people, places, cars, weapons, addresses, social media posts, and other indicia in previously siloed databases. Think of the analysis as a practical version of a Mark Lombardi painting that highlights connections between people, places, and events. After entering a query term — like a partial license plate, nickname, address, phone number, or social media handle or post — NOPD’s analyst would review the information scraped by Palantir’s software and determine which individuals are at the greatest risk of either committing violence or becoming a victim, based on their connection to known victims or assailants.

The data on individuals came from information scraped from social media as well as NOPD criminal databases for ballistics, gangs, probation and parole information, jailhouse phone calls, calls for service, the central case management system (i.e., every case NOPD had on record), and the department’s repository of field interview cards. The latter database represents every documented encounter NOPD has with citizens, even those that don’t result in arrests. In 2010, The Times-Picayune revealed that Chief Serpas had mandated that the collection of field interview cards be used as a measure of officer and district performance, resulting in over 70,000 field interview cards filled out in 2011 and 2012. The practice resembled NYPD’s “stop and frisk” program and was instituted with the express purpose of gathering as much intelligence on New Orleanians as possible, regardless of whether or not they committed a crime.
[…]
NOPD then used the list of potential victims and perpetrators of violence generated by Palantir to target individuals for the city’s CeaseFire program. CeaseFire is a form of the decades-old carrot-and-stick strategy developed by David Kennedy, a professor at John Jay College in New York. In the program, law enforcement informs potential offenders with criminal records that they know of their past actions and will prosecute them to the fullest extent if they re-offend. If the subjects choose to cooperate, they are “called in” to a required meeting as part of their conditions of probation and parole and are offered job training, education, potential job placement, and health services. In New Orleans, the CeaseFire program is run under the broader umbrella of NOLA For Life, which is Mayor Landrieu’s pet project that he has funded through millions of dollars from private donors.

According to Serpas, the person who initially ran New Orleans’ social network analysis from 2013 through 2015 was Jeff Asher, a former intelligence agent who joined NOPD from the CIA. If someone had been shot, Serpas explained, Asher would use Palantir’s software to find people associated with them through field interviews or social media data. “This data analysis brings up names and connections between people on FIs [field interview cards], on traffic stops, on victims of reports, reporting victims of crimes together, whatever the case may be. That kind of information is valuable for anybody who’s doing an investigation,” Serpas said.
[…]
Of the 308 people who participated in call-ins from October 2012 through March 2017, seven completed vocational training, nine completed “paid work experience,” none finished a high school diploma or GED course, and 32 were employed at one time or another through referrals. Fifty participants were detained following their call-in, and two have since died.

By contrast, law enforcement vigorously pursued its end of the program. From November 2012, when the new Multi-Agency Gang Unit was founded, through March 2014, racketeering indictments escalated: 83 alleged gang members in eight gangs were indicted in the 16-month period, according to an internal Palantir presentation.
[…]
Call-ins declined precipitously after the first few years. According to city records, eight group call-ins took place from 2012 to 2014, but only three took place in the following three years. Robert Goodman, a New Orleans native who became a community activist after completing a prison sentence for murder, worked as a “responder” for the city’s CeaseFire program until August 2016, discouraging people from engaging in retaliatory violence. Over time, Goodman noticed more of an emphasis on the “stick” component of the program and more control over the non-punitive aspects of the program by city hall that he believes undermined the intervention work. “It’s supposed to be ran by people like us instead of the city trying to dictate to us how this thing should look,” he said. “As long as they’re not putting resources into the hoods, nothing will change. You’re just putting on Band-Aids.”

After the first two years of Palantir’s involvement with NOPD, the city saw a marked drop in murders and gun violence, but it was short-lived. Even former NOPD Chief Serpas believes that the preventative effect of calling in dozens of at-risk individuals — and indicting dozens of them — began to diminish.

“When we ended up with nearly nine or 10 indictments with close to 100 defendants for federal or state RICO violations of killing people in the community, I think we got a lot of people’s attention in that criminal environment,” Serpas said, referring to the racketeering indictments. “But over time, it must’ve wore off because before I left in August of ‘14, we could see that things were starting to slide”

Nick Corsaro, the University of Cincinnati professor who helped build NOPD’s gang database, also worked on an evaluation of New Orleans’ CeaseFire strategy. He found that New Orleans’ overall decline in homicides coincided with the city’s implementation of CeaseFire program, but the Central City neighborhoods targeted by the program “did not have statistically significant declines that corresponded with November 2012 onset date.”
[…]
The secrecy surrounding the NOPD program also raises questions about whether defendants have been given evidence they have a right to view. Sarah St. Vincent, a researcher at Human Rights Watch, recently published an 18-month investigation into parallel construction, or the practice of law enforcement concealing evidence gathered from surveillance activity. In an interview, St. Vincent said that law enforcement withholding intelligence gathering or analysis like New Orleans’ predictive policing work effectively kneecaps the checks and balances of the criminal justice system. At the Cato Institute’s 2017 Surveillance Conference in December, St. Vincent raised concerns about why information garnered from predictive policing systems was not appearing in criminal indictments or complaints.

“It’s the role of the judge to evaluate whether what the government did in this case was legal,” St. Vincent said of the New Orleans program. “I do think defense attorneys would be right to be concerned about the use of programs that might be inaccurate, discriminatory, or drawing from unconstitutional data.”

If Palantir’s partnership with New Orleans had been public, the issues of legality, transparency, and propriety could have been hashed out in a public forum during an informed discussion with legislators, law enforcement, the company, and the public. For six years, that never happened.

Source: Palantir has secretly been using New Orleans to test its predictive policing technology – The Verge

One of the big problems here is that there is no knowledge and hardly any oversight on the program. There is no knowledge if the system is being implemented fairly or cost effectively (costs are huge!) or even if it works. It seemed to have worked for a while but the effects seemed also to drop off after two years in operations, mainly because they used the “stick” method to counter crime but more and more got rid of the “carrot”. The amount of private data given to Palantir without any discussion or consent is worrying to say the least.

The Lottery Hackers

Posted on by

That’s when it hit him. Right there, in the numbers on the page, he noticed a flaw—a strange and surprising pattern, like the cereal-box code, written into the fundamental machinery of the game. A loophole that would eventually make Jerry and Marge millionaires, spark an investigation by a Boston Globe Spotlight reporter, unleash a statewide political scandal and expose more than a few hypocrisies at the heart of America’s favorite form of legalized gambling.
[…]
This particular game was called Winfall. A ticket cost $1. You picked six numbers, 1 through 49, and the Michigan Lottery drew six numbers. Six correct guesses won you the jackpot, guaranteed to be at least $2 million and often higher. If you guessed five, four, three, or two of the six numbers, you won lesser amounts. What intrigued Jerry was the game’s unusual gimmick, known as a roll-down: If nobody won the jackpot for a while, and the jackpot climbed above $5 million, there was a roll-down, which meant that on the next drawing, as long as there was no six-number winner, the jackpot cash flowed to the lesser tiers of winners, like water spilling over from the highest basin in a fountain to lower basins. There were lottery games in other states that offered roll-downs, but none structured quite like Winfall’s. A roll-down happened every six weeks or so, and it was a big deal, announced by the Michigan Lottery ahead of time as a marketing hook, a way to bring bettors into the game, and sure enough, players increased their bets on roll-down weeks, hoping to snag a piece of the jackpot.

The brochure listed the odds of various correct guesses. Jerry saw that you had a 1-in-54 chance to pick three out of the six numbers in a drawing, winning $5, and a 1-in-1,500 chance to pick four numbers, winning $100. What he now realized, doing some mental arithmetic, was that a player who waited until the roll-down stood to win more than he lost, on average, as long as no player that week picked all six numbers. With the jackpot spilling over, each winning three-number combination would put $50 in the player’s pocket instead of $5, and the four-number winners would pay out $1,000 in prize money instead of $100, and all of a sudden, the odds were in your favor. If no one won the jackpot, Jerry realized, a $1 lottery ticket was worth more than $1 on a roll-down week—statistically speaking.

“I just multiplied it out,” Jerry recalled, “and then I said, ‘Hell, you got a positive return here.’”
[…]
This was an uncomfortable leap for a guy with no experience in gambling, but if he stopped now, he would never know if his theory was correct. During the next roll-down week, he returned to Mesick and made a larger bet, purchasing $3,400 in Winfall tickets. Sorting 3,400 tickets by hand took hours and strained his eyes, but Jerry counted them all right there at the convenience store so that Marge would not discover him. This time he won $6,300—an impressive 46 percent profit margin. Emboldened, he bet even more on the next roll-down, $8,000, and won $15,700, a 49 percent margin.
[…]
he lottery is like a bank vault with walls made of math instead of steel; cracking it is a heist for squares. And yet a surprising number of Americans have pulled it off. A 2017 investigation by the Columbia Journalism Review found widespread anomalies in lottery results, difficult to explain by luck alone. According to CJR’s analysis, nearly 1,700 Americans have claimed winning tickets of $600 or more at least 50 times in the last seven years, including the country’s most frequent winner, a 79-year-old man from Massachusetts named Clarance W. Jones, who has redeemed more than 10,000 tickets for prizes exceeding $18 million.
[…]
he and Marge were willing to do the grunt work, which, as it turned out, was no small challenge. Lottery terminals in convenience stores could print only 10 slips of paper at a time, with up to 10 lines of numbers on each slip (at $1 per line), which meant that if you wanted to bet $100,000 on Winfall, you had to stand at a machine for hours upon hours, waiting for the machine to print 10,000 tickets. Code in the purchase. Push the “Print” button. Wait at least a full minute for the 10 slips to emerge. Code in the next purchase. Hit “Print.” Wait again. Jerry and Marge knew all the convenience store owners in town, so no one gave them a hard time when they showed up in the morning to print tickets literally all day. If customers wondered why the unassuming couple had suddenly developed an obsession with gambling, they didn’t ask. Sometimes the tickets jammed, or the cartridges ran out of ink. “You just have to set there,” Jerry said.

The Selbees stacked their tickets in piles of $5,000, rubber-banded them into bundles and then, after a drawing, convened in their living room in front of the TV, sorting through tens or even hundreds of thousands of tickets, separating them into piles according to their value (zero correct numbers, two, three, four, five). Once they counted all the tickets, they counted them again, just to make sure they hadn’t missed anything. If Jerry had the remote, they’d watch golf or the History Channel, and if Marge had it, “House Hunters” on HGTV. “It looked extremely tedious and boring, but they didn’t view it that way,” recalled their daughter Dawn. “They trained their minds. Literally, they’d pick one up, look at it, put it down. Pick one up, put it down.” Dawn tried to help but couldn’t keep pace; for each ticket she completed, Jerry or Marge did 10.
[…]
That June, Jerry created a corporation to manage the group. He gave it an intentionally boring name, GS Investment Strategies LLC, and started selling shares, at $500 apiece, first to the kids and then to friends and colleagues in Evart. Jerry would eventually expand the roster to 25 members, including a state trooper, a parole officer, a bank vice president, three lawyers and even his personal accountant, a longtime local with a smoker’s scratchy voice named Steve Wood. Jerry would visit Wood’s storefront office downtown, twist the “Open” sign to “Closed,” and seek his advice on how to manage the group.
[…]
And business was good. By the spring of 2005, GS Investment Strategies LLC had played Winfall on 12 different roll-down weeks, the size of the bets increasing along with the winnings. First $40,000 in profits. Then $80,000. Then $160,000. Marge squirreled her share away in a savings account. Jerry bought a new truck, a Ford F350, and a camping trailer that hooked onto the back of it. He also started buying coins from the U.S. Mint as a hedge against inflation, hoping to protect his family from any future catastrophe. He eventually filled five safe deposit boxes with coins of silver and gold.
[…]
A mathematics major in his final semester, Harvey had been researching lottery games for an independent study project, comparing the popular multistate games Powerball and MegaMillions to see which offered players a better shot at winning. He’d also analyzed different state games, including Cash WinFall, and it hadn’t taken him long to spot its flaw: On a roll-down week, a $2 lottery ticket was worth more than $2, mathematically.

Within days, Harvey had recruited some 50 people to pony up $20 each, for a total of $1,000, enough to buy 500 Cash WinFall tickets for the February 7 roll-down drawing. The Patriots won the Super Bowl on February 6, and the following day, the MIT group took home $3,000, for a $2,000 profit.

Curiously enough, the MIT students weren’t the only ones playing Cash WinFall for high stakes that day. A biomedical researcher at Boston University, Ying Zhang, had also discovered the flaw, after an argument with friends about the nature of the lottery. Believing it to be exploitative, Zhang had researched the Massachusetts State Lottery to bolster his point. Then he found the glitch in Cash WinFall, and as happens so often in America, a skeptic of capitalism became a capitalist. Zhang encouraged friends to play and formed his own betting club, Doctor Zhang Lottery Club Limited Partnership. His group began wagering between $300,000 and $500,000 on individual roll-down weeks, and eventually Zhang quit his job as a biomedical researcher to focus on the lottery full time. He bought tickets in bulk at a convenience store near his home, in the Boston suburb of Quincy, and stored the losing tickets in boxes in his attic until the weight made his ceiling crack.

As energetically as Zhang played the game, however, he couldn’t match the budding lottery moguls at MIT. After the first roll-down, Harvey assembled 40 to 50 regular players—some of them professors with substantial resources—and recruited his classmate, Yuran Lu, to help manage the group. Lu was an electrical engineering, computer science and math major with a mischievous streak: one time, to make a point about security, he’d stolen 620 passwords from students and professors. Now he helped Harvey form a corporation, named Random Strategies LLC, after their dorm. Their standard wager on a roll-down week was $600,000—300,000 tickets. Unlike the Selbees, who allowed the computer to pick numbers for them (“Quic Pics”), the MIT students preferred to choose their own, which avoided duplicates but also meant that the students had to spend weeks filling in hundreds of thousands of tiny ovals on paper betting slips.

Source: The Lottery Hackers – The Huffington Post

A great article on how three groups of people were hacking this lottery and how it all ended.